# enable APIs required for OS patching
resource "google_project_service" "os-config-api" {
    # Enables the OS Config API (osconfig.googleapis.com) in every worker
    # project; one resource instance per project id.
    for_each = { for p in local.worker_projects : p => p }
    project  = google_project.hipaa_project[each.key].project_id
    service  = "osconfig.googleapis.com"
    # NOTE(review): disable_on_destroy is left at the provider default, so
    # destroying this resource also disables the API project-wide -- confirm
    # that is intended before removing it from state.
}

resource "google_project_service" "container-analysis-api" {
    # Enables the Container Analysis API in every worker project, which the
    # OS patching tooling requires alongside OS Config.
    for_each = { for p in local.worker_projects : p => p }
    project  = google_project.hipaa_project[each.key].project_id
    service  = "containeranalysis.googleapis.com"
}

resource "google_project_service" "compute-scanning" {
    # Enables the Compute Scanning API (vulnerability scanning of VM
    # packages) in every worker project.
    for_each = { for p in local.worker_projects : p => p }
    project  = google_project.hipaa_project[each.key].project_id
    service  = "computescanning.googleapis.com"
}

# set GCE Metadata for OS patching
resource "google_compute_project_metadata" "os_patching" {
  # Project-wide instance metadata that switches on the OS Config agent and
  # guest attributes for every VM in each worker project.
  for_each = { for p in local.worker_projects : p => p }
  project  = google_project.hipaa_project[each.key].project_id

  # NOTE(review): this resource type manages the project's *entire* common
  # metadata map (per the provider docs), so any key set outside Terraform
  # (ssh-keys, enable-oslogin, ...) is removed on the next apply. Use
  # google_compute_project_metadata_item if other keys are managed elsewhere.
  metadata = {
    enable-guest-attributes = true
    enable-osconfig         = true
  }
}

resource "google_project_service" "notebooks_api" {
    # Enables the AI Platform Notebooks API in every worker project; the
    # worker_nb instances below depend on it explicitly.
    for_each = { for p in local.worker_projects : p => p }
    project  = google_project.hipaa_project[each.key].project_id
    service  = "notebooks.googleapis.com"
}

resource "google_project_iam_binding" "datalab_service_account_iam_binding" {
    # Grants roles/bigquery.jobUser to the Datalab service accounts of the
    # users assigned to this worker project, so their notebooks can run
    # BigQuery jobs billed to the project.
    for_each = { for p in local.worker_projects : p => p }
    project  = google_project.hipaa_project[each.key].project_id
    role     = "roles/bigquery.jobUser"

    # Only service accounts of users mapped to this project (each.value is the
    # project id, since the for_each map is keyed and valued by the same id).
    members = [
        for u in var.datalab_user_list :
        "serviceAccount:${google_service_account.datalab_service_account[u["username"]].email}"
        if u["project"] == each.value
    ]
    # NOTE(review): google_project_iam_binding is authoritative for this role
    # -- any roles/bigquery.jobUser member in the project that is not listed
    # here is removed on apply, and a project with no Datalab users yields an
    # empty member list. Confirm nothing else is expected to hold this role.
}

# TODO: confirm this API is still needed; only google_sourcerepo_repository.datalab-notebooks below depends on it.
resource "google_project_service" "sourcerepo-api" {
    # Enables Cloud Source Repositories in every worker project; the
    # datalab-notebooks repository below is created only after this.
    for_each = { for p in local.worker_projects : p => p }
    project  = google_project.hipaa_project[each.key].project_id
    service  = "sourcerepo.googleapis.com"
}

resource "google_sourcerepo_repository" "datalab-notebooks" {
    # Per-project Cloud Source Repositories repo holding Datalab notebooks.
    for_each = { for p in local.worker_projects : p => p }

    project = google_project.hipaa_project[each.key].project_id
    name    = "datalab-notebooks"

    # The API enablement is not referenced by value, so the ordering has to
    # be made explicit.
    depends_on = [google_project_service.sourcerepo-api]
}

resource "google_compute_network" "datalab-network" {
    # Auto-mode VPC for Datalab, one per worker project.
    for_each = { for p in local.worker_projects : p => p }

    name        = "datalab-network"
    description = "Network for Google Cloud Datalab instances"
    project     = google_project.hipaa_project[each.key].project_id
    # Auto mode creates one subnet per region with Google-chosen ranges.
    auto_create_subnetworks = true
    # NOTE(review): the notebook VMs in this file attach to
    # google_compute_network.hipaa-shared-vpc, not to this network. If nothing
    # else lives here, this network and its SSH firewall rule can likely be
    # retired.
}

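resource "google_compute_firewall" "datalab-network-allow-ssh" {
    # Ingress rule permitting SSH (tcp/22) into datalab-network in each
    # worker project.
    for_each = { for p in local.worker_projects : p => p }

    name        = "datalab-network-allow-ssh"
    description = "Allow SSH access to Datalab instances"

    network = google_compute_network.datalab-network[each.key].name
    project = google_project.hipaa_project[each.key].project_id

    priority  = 1000
    direction = "INGRESS"

    # Previously 0.0.0.0/0, i.e. port 22 reachable from the whole internet in
    # a HIPAA project. Restrict to Google's published Identity-Aware Proxy TCP
    # forwarding range so SSH is only reachable through IAP, which enforces
    # IAM and Google identity before the connection reaches the VM.
    # NOTE(review): confirm operators connect via IAP tunnelling (gcloud
    # compute ssh --tunnel-through-iap) before rolling this out; direct SSH
    # from arbitrary public IPs will stop working.
    source_ranges = [
        "35.235.240.0/20",
    ]

    allow {
        protocol = "tcp"
        ports    = ["22"]
    }

    # Log matched connections so SSH access to these VMs is auditable in
    # Cloud Logging.
    log_config {
        metadata = "INCLUDE_ALL_METADATA"
    }
    # NOTE(review): the notebook VMs attach to hipaa-shared-vpc, so this rule
    # does not govern them -- check what actually lives on datalab-network.
}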

resource "google_project_iam_binding" "view_compute_instances" {
    # Read-only Compute Engine visibility for each worker project's user group.
    for_each = { for p in local.worker_projects : p => p }
    project  = google_project.hipaa_project[each.key].project_id
    role     = "roles/compute.viewer"
    # NOTE(review): authoritative binding -- this list becomes the complete
    # set of roles/compute.viewer members in the project.
    members  = ["group:${local.worker_project_email[each.key]}"]
}

resource "google_project_iam_binding" "view_notebooks" {
    # Read-only Notebooks visibility for each worker project's user group.
    for_each = { for p in local.worker_projects : p => p }
    project  = google_project.hipaa_project[each.key].project_id
    role     = "roles/notebooks.viewer"
    # NOTE(review): authoritative binding -- this list becomes the complete
    # set of roles/notebooks.viewer members in the project.
    members  = ["group:${local.worker_project_email[each.key]}"]
}

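resource "google_service_account" "datalab_service_account" {
    # One service account per Datalab user, created in the worker project the
    # user is assigned to. Keyed by username so sibling resources look the
    # account up with the same key.
    for_each = { for u in var.datalab_user_list : u["username"] => u["project"] }

    # account_id must match [a-z]([-a-z0-9]*[a-z0-9]) and be 6-30 characters.
    # The bare "datalab-${local-part}" form failed for usernames such as
    # first.last@ or mixed-case addresses, so the local-part is lower-cased,
    # every character outside [a-z0-9-] becomes '-', and the result is cut to
    # 22 characters to fit behind the 8-character "datalab-" prefix. A
    # local-part that already satisfied the pattern yields the identical id,
    # so existing accounts are not recreated.
    # NOTE(review): usernames that differ only in replaced characters
    # (john.doe / john-doe) collide on account_id within a project, and a
    # truncated id may end in '-' -- both surface as apply-time errors.
    account_id = "datalab-${substr(replace(lower(split("@", each.key)[0]), "/[^a-z0-9-]/", "-"), 0, 22)}"
    project    = google_project.hipaa_project[each.value].project_id
}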

resource "google_service_account_iam_binding" "datalab_service_account_iam_binding" {
    # Lets each user act as their own Datalab service account
    # (roles/iam.serviceAccountUser), which is required to attach it to a VM.
    for_each = { for u in var.datalab_user_list : u["username"] => u["username"] }

    service_account_id = google_service_account.datalab_service_account[each.key].name
    role               = "roles/iam.serviceAccountUser"
    # NOTE(review): authoritative for this role on the service account; any
    # other serviceAccountUser member is dropped on apply.
    members            = ["user:${each.key}"]
}

data "google_iam_policy" "notebook_user_to_instance_policy" {
    # Per-user IAM policy document consumed by
    # google_compute_instance_iam_policy.notebook_user_to_instance_binding.
    for_each = { for u in var.datalab_user_list : u["username"] => u["username"] }

    binding {
        # instanceAdmin.v1 gives full control of a VM (start/stop/delete,
        # metadata including SSH keys); scope is limited to the user's own
        # instance by the resource that attaches this policy.
        role    = "roles/compute.instanceAdmin.v1"
        members = ["user:${each.key}"]
    }
}

resource "google_compute_instance_iam_policy" "notebook_user_to_instance_binding" {
    # Attaches each user's notebook_user_to_instance_policy document to that
    # user's own notebook VM.
    for_each = { for u in var.datalab_user_list : u["username"] => u["project"] }

    project       = google_project.hipaa_project[each.value].project_id
    instance_name = google_notebooks_instance.worker_nb[each.key].name
    # Must match the zone the notebook was created in; both read names[0].
    zone          = data.google_compute_zones.notebooks.names[0]
    # NOTE(review): *_iam_policy is authoritative -- it replaces the whole
    # instance policy, so bindings added outside Terraform are removed.
    policy_data   = data.google_iam_policy.notebook_user_to_instance_policy[each.key].policy_data
}

resource "google_notebooks_instance" "worker_nb" {
  # One AI Platform Notebooks VM per Datalab user, placed in the user's
  # worker project on the shared VPC and running as that user's service
  # account.
  provider = google-beta
  for_each = { for u in var.datalab_user_list : u["username"] => u }

  project  = google_project.hipaa_project[each.value["project"]].project_id
  # NOTE(review): the local-part of the username is used verbatim; confirm
  # it only ever contains characters valid in an instance name.
  name     = "notebook-${split("@", each.key)[0]}"
  location = data.google_compute_zones.notebooks.names[0]

  network = google_compute_network.hipaa-shared-vpc.id
  subnet  = google_compute_subnetwork.worker_subnet[var.notebook_region].id

  machine_type    = each.value["machine_type"]
  service_account = google_service_account.datalab_service_account[each.key].email
  # NOTE(review): passed as a bare string; newer google-beta releases type
  # instance_owners as a list of strings -- check against the pinned
  # provider version (changes are ignored via lifecycle below anyway).
  instance_owners = each.value["username"]

  vm_image {
    project      = "deeplearning-platform-release" # needs a var?
    image_family = each.value["image"]             # per-user; was hard-coded to tf-latest-cpu
  }

  # NOTE(review): no_public_ip, shielded_instance_config and
  # disk_encryption/kms_key are left at provider defaults; for a HIPAA
  # workload confirm whether these VMs should receive an external IP and
  # whether CMEK is required.

  # temporary - waiting on bug fix
  lifecycle {
    ignore_changes = [
      subnet,
      network,
      instance_owners,
    ]
  }

  depends_on = [
    google_project_service.notebooks_api,
    google_compute_subnetwork_iam_binding.worker_subnet_binding,
  ]
}